
Deciding optimal entropic thresholds to calibrate the detection mechanism for variable rate DDoS attacks in ISP domain: honeypot based approach

Published in: Journal of Intelligent Manufacturing

Abstract

High-bandwidth DDoS attacks consume more resources and have a direct impact at the ISP level, in contrast to low-rate DDoS attacks, which lead to graceful degradation of the network and are mostly undetectable. Although an array of detection schemes has been proposed, the current requirement is a real-time DDoS detection mechanism that adapts itself to varying network conditions so as to give minimum false alarms. DDoS attacks that disturb the distribution of traffic features in the ISP domain are reflected by entropic variations in in-stream samples. We propose honeypot-based detection for attack traffic whose statistical distribution features are similar to those of legitimate traffic. Next we propose to calibrate the detection mechanism for a minimum false alarm rate by varying the tolerance factor in real time. Simulations are carried out in ns-2 at different attack strengths. We also report our experimental results over the MIT Lincoln Lab dataset and its subset, the KDD 99 dataset. Results show that the proposed approach is comparable to previously reported approaches, with the advantage of variable-rate attack detection with minimum false positives and negatives.
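The abstract describes two ideas that a short program can make concrete: measuring the entropy of a traffic-feature distribution over in-stream windows, and tuning a tolerance factor so that the alarm threshold gives the fewest false positives and negatives. The code below is an added illustration, not the paper's own implementation or its ns-2 setup. It assumes the monitored feature is the destination IP of each packet in a fixed-size window, that the detection band is the baseline mean entropy plus or minus the tolerance factor times the baseline standard deviation, and that the tolerance factor is chosen from a candidate list against labelled windows; all traffic in it is constructed with a seeded random generator, and the address pool, victim address and window sizes are made up for the example.

```python
"""Entropy-based DDoS detection with a calibrated tolerance factor.

Added example (not the paper's code). Legitimate traffic spreads over many
destinations, so destination-IP entropy is high; a flood concentrates packets
on one victim and entropy falls. A window is flagged when its entropy leaves
the band mu +/- alpha * sigma learned from attack-free windows; alpha is the
tolerance factor and is calibrated to minimise false alarms plus misses.
"""
import math
import random
from collections import Counter
from statistics import mean, pstdev


def shannon_entropy(samples):
    """Shannon entropy in bits of the empirical distribution of `samples`."""
    n = len(samples)
    if n == 0:
        return 0.0
    counts = Counter(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_thresholds(mu, sigma, alpha):
    """Lower and upper bounds of the tolerance band: mu +/- alpha * sigma."""
    return mu - alpha * sigma, mu + alpha * sigma


def classify(h, mu, sigma, alpha):
    """'attack' if the window entropy leaves the tolerance band, else 'normal'."""
    lo, hi = entropy_thresholds(mu, sigma, alpha)
    return "attack" if (h < lo or h > hi) else "normal"


def calibrate_tolerance(baseline_entropies, attack_entropies, candidates):
    """Pick the alpha with the fewest errors (false positives + false negatives).

    Ties go to the larger alpha, i.e. the wider band, so legitimate variation
    is tolerated as far as possible without missing the known attack windows.
    """
    mu, sigma = mean(baseline_entropies), pstdev(baseline_entropies)

    def errors(alpha):
        fp = sum(classify(h, mu, sigma, alpha) == "attack" for h in baseline_entropies)
        fn = sum(classify(h, mu, sigma, alpha) == "normal" for h in attack_entropies)
        return fp + fn

    return min(candidates, key=lambda a: (errors(a), -a))


def make_window(rng, n_packets, servers, victim=None, attack_share=0.0):
    """Constructed window of destination IPs; `attack_share` of packets hit `victim`."""
    window = []
    for _ in range(n_packets):
        if victim is not None and rng.random() < attack_share:
            window.append(victim)
        else:
            window.append(rng.choice(servers))
    return window


def run_demo(seed=7):
    """Calibrate alpha on constructed traffic, then classify three fresh windows."""
    rng = random.Random(seed)
    servers = [f"10.0.0.{i}" for i in range(1, 51)]   # constructed address pool
    victim = "10.0.0.25"                                # constructed victim
    # Attack-free windows give the baseline mean and spread of the entropy.
    baseline = [shannon_entropy(make_window(rng, 200, servers)) for _ in range(20)]
    # Labelled attack windows at a few rates, used only for calibration.
    train_attacks = [shannon_entropy(make_window(rng, 200, servers, victim, s))
                     for s in (0.6, 0.4, 0.3)]
    alpha = calibrate_tolerance(baseline, train_attacks,
                                [1.0, 1.5, 2.0, 2.5, 3.0, 4.0])
    mu, sigma = mean(baseline), pstdev(baseline)
    decisions = {}
    for name, share in (("normal", 0.0), ("low_rate", 0.1), ("high_rate", 0.7)):
        h = shannon_entropy(make_window(rng, 200, servers, victim, share))
        decisions[name] = classify(h, mu, sigma, alpha)
    return {"alpha": alpha, "mu": mu, "sigma": sigma, "decisions": decisions}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the behaviour the abstract attributes to variable-rate attacks: the high-rate flood pulls entropy several standard deviations below the baseline and is flagged at any reasonable alpha, while the low-rate window (one packet in ten to the victim) shifts entropy by about one baseline standard deviation and sits inside the band, which is why a threshold alone cannot catch it and the paper turns to honeypot-based detection for traffic whose distribution looks legitimate.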




Corresponding author

Correspondence to Anjali Sardana.

Additional information

The work is an extension of our earlier paper presented in the Second International Conference on Information Security and Assurance (ISA 2008) held from 24 to 26 April 2008, in Busan, South Korea.

Cite this article

Sardana, A., Joshi, R.C., Kim, Th. et al. Deciding optimal entropic thresholds to calibrate the detection mechanism for variable rate DDoS attacks in ISP domain: honeypot based approach. J Intell Manuf 21, 623–634 (2010). https://doi.org/10.1007/s10845-008-0204-3
